Load-Time Function Hijacking ( via Shared object injection)

0x0fy · August 14, 2020, 9:11pm

Hello guys, welcome to my writeup. I will get to the subject without further ado

First of all, we need to know;

Load-Time: Before a software starts running, it has a load time. It installs its requirements until the program is fully functional (Libraries, Memory Regions)

Function Hooking: Replacing or editing a function given in the software with a fake function.

See the Functions used by a software;

You can use the ftrace binarys used by the majority in linux to see the functions used in the software.

Let’s Start
Now I assume that we open linux and compile the following code:

#include <stdio.h>

int main(){

  puts("Hello world !");

}

Compiling : gcc hello.c -o hello

What we’re going to do now is to replace this set function with the fake sets we provided at load time. Thus, the function we wrote will work, not the function written in the program.

Writing the Fake library to hook the function:

For the puts function, the creation of the fake library is as follows:

     
#include <stdio.h>
#include <unistd.h>
#include <dlfcn.h>
 
int puts(const char *message) {
 
  int (*new_puts)(const char *message);
 
  new_puts = dlsym(RTLD_NEXT, "puts");
 
  return new_puts("Hijacked!");
}

The library is simply puts (); Creates a fake of the function dlsym (); allows it to replace the original thanks to its function.

The dlsym(); function takes two arguments. The first of these, the RTLD_NEXT enum, tells the dynamic loader API part to return to the next instance linked with the 2nd argument. The last argument is asking for the name of the sample to be returned to, and this is the puts function, which we will substitute forged.

return new_puts(“Hijacked!”);

Here, puts (); The function that will replace the function is specified.

Compiling the library and transferring it to LD_PRELOAD

Compiling The Library :

gcc evil_library.c -o evil_library.so -fPIC -shared -ldl -D_GNU_SOURCE

The LD_PRELOAD environment variable can execute the library we provided at the moment the running software starts, so that we can manipulate the software.

In summary, when we assign the .Library path to the LD_PRELOAD environment variable, the library is enclosed in the running file.

Export our library to LD_PRELOAD environment variable with export command

export LD_PRELOAD="/home/mehmet/evil_library.so"

Now, when our program is run, instead of “Hello world”, “Hijacked!” He will give our message.

messede · August 15, 2020, 4:10am

Nice write up , but wouldn’t this hijack puts call for all binaries across the system ? , wouldn’t it be wise to check the caller before performing the hijack ? , and how could we do that ? , also would it be possible to hijack SSL encryption routines of a binaries to retrieve plaintext HTTP (particularly in cases where a binary employs SSL pinning and reversing is not up your alley).

0x0fy · August 15, 2020, 6:54am

Yes, as you said, all binaries on the system using puts function are affected. Unless the LD_PORELOAD environment variable is changed. I haven’t found a solution for this yet.

And Yes, this is already a method used to Bypass Anti Debugging systems and SSL Pinning. I could write a writeup for this in the future.

messede · August 16, 2020, 4:12am

I 'm sharing this just in case somebody need it :

system · December 14, 2020, 1:17pm

This topic was automatically closed after 121 days. New replies are no longer allowed.